This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Log in to ask a question
Get hands-on experience with 20+ free Google Cloud products and $300 in free credit for new customers.
Log in to ask a question

How to push a Docker image from Azure Pipelines to an Artifact registry

Posted on 09-05-2024 04:19 PM
cebundy
Bronze 1
Bronze 1
Reply posted on --/--/---- --:-- AM

I am attempting to push a Docker image from Azure Pipelines to an Artifact registry.

When I try to setup a service connection in Azure Pipelines to https://us-west2-docker.pkg.dev/bustling-nomad-434602-q3/gcloud-docker-artifact  the fails with an authentication error.

#12 naming to us-west2-docker.pkg.dev/bustling-nomad-434602-q3/gcloud-docker-artifact:211 done
#12 DONE 2.7s
 
/usr/bin/docker push us-west2-docker.pkg.dev/bustling-nomad-434602-q3/gcloud-docker-artifact:211
 
REPOSITORY TAG IMAGE ID CREATED SIZE
us-west2-docker.pkg.dev/bustling-nomad-434602-q3/gcloud-docker-artifact 211 15a87057bdff 3 seconds ago 920MB
...
The push refers to repository [us-west2-docker.pkg.dev/bustling-nomad-434602-q3/gcloud-docker-artifact]
...
unauthorized: authentication failed
##[error]unauthorized: authentication failed
##[error]The process '/usr/bin/docker' failed with exit code 1

I can push the image using https://gcr.io/bustling-nomad-434602-q3 which then creates a gcr.io repository in my project.  
Here are my steps:

  1. Create a project (using the free trial)
  2.  Set gcloud config: gcloud config set project [project name]
  3.  Enable APIs:

 

gcloud services enable containerregistry.googleapis.com
gcloud services enable artifactregistry.googleapis.com

 

  • create service account: gcloud iam service-accounts create azure-pipelines-publisher --display-name "Azure Pipelines Publisher"
  • Assign the IAM roles, storage admin, artifact registry writer, artifact registry reader to the service account
  • Create a service account key: 

 

gcloud iam service-accounts keys create \
azure-pipelines-publisher.json --iam-account $AZURE_PIPELINES_PUBLISHER
tr -d '\n' < azure-pipelines-publisher.json > azure-pipelines-publisher-oneline.json

 

 

  • Create an Artifact registry in the project (the IAM roles for the service account are inherited from the project)
  • In Azure pipelines, create a service connection:
    1. Docker Registry: https://[LOCATION]/[PROJECT-ID]/[REGISTRY].
    2. Docker ID: _json_key
    3. Docker Password: Paste the contents of azure-pipelines-publisher-oneline.json
    4. Service connection name: gcrServiceConnection
  • In the YAML pipeline the repository is '[PROJECT-ID]/[REGISTRY]`
  • The pipeline task builds the image and attempts to push it to the Artifact registry.  Which fails with an authentication error, unless I use https://gcr.io/[PROJECT-ID] for the service connection. 
0 3 3,175
0 Likes
3 REPLIES 3

Posted on --/--/---- --:-- AM
L1kruzing
Bronze 3
Bronze 3
Reply posted on --/--/---- --:-- AM

Hey there 👋

Check JSON Key: Make sure it’s one line, no extra spaces.

Correct Roles: Confirm service account has Artifact Registry Reader/Writer roles.

Correct URL: Use https://us-west2-docker.pkg.dev/[PROJECT-ID]/[REPOSITORY].

Run: docker login -u _json_key -p "$(cat azure-pipelines-publisher-oneline.json)" https://us-west2-docker.pkg.dev

If login works, you’re set. If not, double-check for typos or permission issues. Cheers.

Posted on --/--/---- --:-- AM
cebundy
Bronze 1
Bronze 1
In response to L1kruzing
Reply posted on --/--/---- --:-- AM

Thanks for your response.  The login work so I changed the Azure DevOps service connection to use the https://us-west2-docker.pkg.dev url and the pipeline to use the repository spec bustling-nomad-434602-q3/locations/us-west2/repositories/gcloud-docker-artifact

The result was a different error:

 

The push refers to repository [us-west2-docker.pkg.dev/bustling-nomad-434602-q3/gcloud-docker-artifact]
943b35739f35: Preparing
...
dacaab4534e4: Waiting
denied: Unauthenticated request. Unauthenticated requests do not have permission "artifactregistry.repositories.uploadArtifacts" on resource "projects/bustling-nomad-434602-q3/locations/us-west2/repositories/gcloud-docker-artifact" (or it may not exist)
##[error]denied: Unauthenticated request. Unauthenticated requests do not have permission "artifactregistry.repositories.uploadArtifacts" on resource "projects/bustling-nomad-434602-q3/locations/us-west2/repositories/gcloud-docker-artifact" (or it may not exist)
##[error]The process '/usr/bin/docker' failed with exit code 1

 

I verified that the service does have the "artifactregistry.repositories.uploadArtifacts" for the registry:

cebundy_0-1725934176723.png

0 Likes

Posted on --/--/---- --:-- AM
L1kruzing
Bronze 3
Bronze 3
In response to cebundy
Reply posted on --/--/---- --:-- AM

Hey! Looks like you've got most of it set up correctly, but the auth issue is still a pain. Instead of sticking with the service connection in Azure Pipelines, try switching to using gcloud directly for Docker auth. Here’s what you can do:

1. Add a script step in your pipeline to handle the gcloud auth:

------

- script: |

    echo $(serviceAccountKey) > $(Build.SourcesDirectory)/key.json

    gcloud auth activate-service-account --key-file=$(Build.SourcesDirectory)/key.json

    gcloud auth configure-docker us-west2-docker.pkg.dev --quiet

  displayName: 'Authenticate using gcloud'

-----

2. Then, just make sure your Docker task uses that config without messing around with manual docker login:

-------

- task: Docker@2

  displayName: 'Build and Push Docker Image'

  inputs:

    containerRegistry: 'gcrServiceConnection' # Keep this pointing right if you're using the connection

    repository: 'gcloud-docker-artifact'

    command: 'buildAndPush'

    Dockerfile: 'Dockerfile'

    tags: '$(Build.BuildNumber)'

------

This should handle the authentication properly without those annoying “unauthenticated request” errors. Give it a shot and let me know if it still acts up! cheers -Kruzing 🤘

 

 

0 Likes
Top Labels in this Space